thepilo
asked on
Router Access List for inter Vlan security
I need to create a VLAN that can access the internet and only select internal servers. The VLAN IP scheme is 10.1.53.0 and the servers are on the 10.1.100.0 VLAN.
This is what I have. I can access the server that I have, but I can't access the internet. Any ideas?
access-list 120 deny ip 10.1.53.0 0.0.0.255 host 10.0.0.0
access-list 120 permit udp 10.1.53.0 0.0.0.255 host 10.1.100.29 eq bootps
access-list 120 permit udp 10.1.53.0 0.0.0.255 host 10.1.100.29 eq domain
access-list 120 permit tcp 10.1.53.0 0.0.0.255 host 10.1.100.51 eq www
access-list 120 permit tcp 10.1.53.0 0.0.0.255 host 10.1.100.220 eq 445
access-list 120 permit udp 10.1.53.0 0.0.0.255 host 10.1.100.220 eq 445
ASKER CERTIFIED SOLUTION
ASKER
That worked. I'm curious as to the reason for the last 2 statements.
Actually, I allowed the implied "deny any any" to stand as is. With his requirements, it sounds to me like anything that makes it to the end of the list should NOT be allowed.
WGhen
ASKER
I did try that permit any any previously, but then it allowed everything.
But this config works..
Uhhh wait, scratch that, the permit any any at the end could also have been...
access-list 120 permit ip 10.1.53.0 0.0.0.255 any
After you permit stuff to reach your server, you then want to specifically permit stuff to reach ANYTHING BUT your network. That is what the last two lines do.
Jorg01, You've confused me. The permit any any is there.
???
Did I make it clear?
Access lists function line by line. A packet is checked against each line in order UNTIL it finds a match. So in your access list you have permitted all the things you wish to allow in the first six lines. So in the seventh line I block all traffic going to your entire network (but nowhere else, like the internet), assuming that you've permitted everything you wanted to permit first. Everything that makes it to the last line, then, is traffic destined for somewhere else, i.e. the internet, and you wished to permit that.
Have I made that perfectly cloudy now?
WGhen
PS
I don't think your first line is doing anything.
access-list 120 deny ip 10.1.53.0 0.0.0.255 host 10.0.0.0
You should get rid of it unless you really have a server (host) with the address 10.0.0.0
Damn, now I'm also doubting it.
If you're not sure if your access list is working, place a log command at the end of each statement. If the access-list is hit it will be shown in the router's log.
I think the command logging monitor should also be inserted.
Don't do this too long or the router's log will be overwhelmed with ACL info and more important info will be lost.
ASKER
I think that makes it much more clear to me in understanding how ACLs work. They have always confused me a bit. Thanks for all the help. I think you are right that the first line does nothing.
You forgot the permit any any, as the access-list default action at the end of the list is deny all.